Knowledgebase:
Spring4Shell (CVE-2022-22965)
Last modified on 22 May 2022 04:58 PM

This critical vulnerability was disclosed on 30 March 2022 and affects the Spring Framework, a third-party framework that we use within PaperCut MF and NG from version 20.0.0. It is commonly referred to as Spring4Shell or SpringShell. More information can be found on the Spring blog, which also references the Spring Framework RCE (remote code execution) advisory.

The proof of concept (POC) exploit explained in Spring’s blog post requires Apache Tomcat as the servlet container.

While our products do use the Spring framework, we can confirm that none of the PaperCut products use Tomcat (for example, our MF and NG products use Eclipse Jetty). The Tomcat requirement is a property of that particular exploit chain, not of the underlying data-binding flaw, so we believe it is only a matter of time until exploits are developed for third-party components that we do use. To prevent this having an impact on our customers, we have proactively provided maintenance releases as documented below.

Note: This vulnerability has been fixed in versions 19.2.7, 20.1.6, 21.2.10, and 22.0.0 and later.

Product Status

Which products are impacted?

Product: PaperCut MF and NG Application Servers & Site Servers
Version: 20.x or later (excluding the fixed releases 20.1.6, 21.2.10, and 22.0.0 and later)
Status: Impacted*
Action: Upgrade Application Servers and Site Servers to:
- 20.1.6 (if currently using version 20.x)
- 21.2.10 (if currently using version 21.x)

Product: PaperCut MF and NG Application Servers & Site Servers
Version: 19.x or earlier
Status: Not impacted
Action: No action required for Spring4Shell. However, if you are running 19.2.1 or later, we recommend upgrading due to a separate vulnerability - more details here: PaperCut MF/NG RCE (PC-18750)

Product: PaperCut Hive, PaperCut Pocket, Print Deploy, Mobility Print, PaperCut User Clients
Version: All
Status: Not impacted
Action: No action required.

* Listed as “Impacted” even though, as mentioned above, the currently available POC does not work against PaperCut; we still highly recommend upgrading.

FAQs

Is there any impact from applying this fix?

These maintenance releases include an upgraded version of the Rhino JavaScript engine (release note reference PO-816). As a result, print scripting and device scripting are now sandboxed by default.

If you are using print scripting or device scripting, we highly recommend reviewing the KB for more information on these changes.

All other functionality and features will work without any impact.

Where can I get the upgrade?

Please follow your usual upgrade procedure. Additional links on the ‘Check for updates’ page allow you to download fixes for previous major versions that are still supported (e.g. 19.2.7, 20.1.6) as well as the current version (21.2.10).

If you are using PaperCut MF, we highly recommend following your regular upgrade process with your PaperCut partner or reseller; their contact details can also be found on the ‘About’ tab in the PaperCut admin interface.

Where are the release notes for these fixes?

You can see the release notes pages for PaperCut MF and NG, which list all fixes included per version.

What is the CVSS score for Spring4Shell?

Spring4Shell is rated Critical severity: CVSS v3 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Note that a base score describes the flaw in the Spring Framework itself, not a specific deployment.

However, as detailed at the top of this article, the proof of concept (POC) exploit explained in Spring’s blog post requires Apache Tomcat as the servlet container (Spring’s post also lists JDK 9 or later and deployment as a traditional WAR as prerequisites for that exploit). While our products do use the Spring framework, we can confirm that none of the PaperCut products use Tomcat (for example, our MF and NG products use Eclipse Jetty).

Do the fixes include the latest version of Spring Framework?

No.

  • MF/NG version 19.2.7 uses Spring version 4.3.25
  • MF/NG version 20.1.6 uses Spring version 4.3.29
  • MF/NG version 21.2.10 uses Spring version 4.3.30

Spring has released fixed versions (5.3.18 and 5.2.20). The 4.3.x line that our products use is no longer maintained by Spring, so there is no patched 4.3 release to drop in, and we are unable to upgrade the framework immediately due to the complex nature of migrating to the newer major version.

We have instead implemented the Spring-recommended workaround (a deny-list on request data binding), and this fix is included in the maintenance releases listed above. We will be looking to upgrade to a patched version of Spring in a future release.
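For reference, the workaround Spring published is a data-binding deny-list applied from a global @InitBinder, so that request parameters whose property path starts with "class." (or contains ".class.") are never bound onto a handler argument. The following is an added example written for this article to show that mechanism; it is not PaperCut’s own code, and the package and class names are assumptions:

```java
// Added example: global deny-list on Spring MVC data binding, in the style of
// the workaround described in Spring's Spring4Shell post. Illustrative only;
// this is not PaperCut's implementation, and the package/class names are assumed.
package com.example.hardening;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Registers an @InitBinder callback for every @Controller. Any request
 * parameter whose property path matches the deny-list is dropped before
 * binding and recorded as a suppressed field on the BindingResult, which
 * closes the class.module.classLoader.* traversal without changing the
 * framework jars.
 */
@ControllerAdvice
// Run after any other @ControllerAdvice, because setDisallowedFields
// replaces the current list rather than appending to it.
@Order(Ordered.LOWEST_PRECEDENCE)
public class DataBindingDenyListAdvice {

    // Both capitalisations are needed: before 5.3.18 / 5.2.20 the disallowed
    // field match was case-sensitive, and "Class" is also a valid property name.
    private static final String[] DENY_LIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void denyClassLoaderTraversal(WebDataBinder binder) {
        // Keep anything an earlier advice already disallowed, then append ours.
        String[] existing = binder.getDisallowedFields();
        List<String> fields = new ArrayList<>();
        if (existing != null) {
            fields.addAll(Arrays.asList(existing));
        }
        fields.addAll(Arrays.asList(DENY_LIST));
        binder.setDisallowedFields(fields.toArray(new String[0]));
    }
}
```

Two caveats a practitioner should keep in mind. First, a controller-local @InitBinder method that calls setDisallowedFields itself runs after the advice and replaces the list, silently undoing it; for that reason Spring’s post also describes a more robust variant that extends RequestMappingHandlerAdapter and appends the deny-list after all @InitBinder methods have run. To check that the deny-list is in effect, bind a request carrying a harmless parameter such as class.x=1 and confirm that BindingResult#getSuppressedFields reports it (DataBinder also logs suppressed fields at DEBUG level). Second, the deny-list only blocks the known traversal path; upgrading to a Spring Framework release that contains the fix remains the real remedy.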

Is there a mitigation for this if I don’t want to upgrade?

No - there is no manual configuration change or setting available at this point. The Spring-recommended workaround is a code change inside the application, which we have applied for you in the maintenance releases, so we highly recommend installing the latest maintenance release.

What version of log4j do these builds use?

  • 19.2.7: uses log4j 1.x (not impacted)
  • 20.1.6: uses log4j 1.x (not impacted)
  • 21.2.10: uses log4j 2.17.1 (fixed)

See the Log4Shell (CVE-2021-44228) - How is PaperCut Affected? article for more details on log4j.

Is there a maintenance release for versions 18 or older?

No - versions 18 and older are now end of life, as documented on our End of Life Policy page.

I have a version 19 license and no M&S - can I still get this fix?

Yes! As long as you are running a version which is currently supported (19 and above), you can upgrade to whichever maintenance release version you’re licensed for. For example, if you are licensed for version 19 but you don’t have a valid license for version 20, you can update to version 19.2.7 as above.

See our Upgrade Policy page for more information on licensing and upgrades.

I saw versions 19.2.6, 20.1.5 and 21.2.9 available at one point - what happened?

We published maintenance releases 19.2.6, 20.1.5 and 21.2.9 on May 18th 2022. We then became aware that a small number of customers with a specific database configuration had to roll back after encountering an upgrade error, so we pulled these maintenance releases from our website to avoid impacting any additional customers. We then identified and fixed the issue with these builds, and have released the new (fixed) builds of 19.2.7, 20.1.6 and 21.2.10. We apologize for the confusion here - it wasn’t our best moment.

The same security fixes that were in the previous (pulled) builds are in the fixed builds now available on the website. If you are not using MS SQL Server as your database and you upgraded to one of the now-pulled builds, you can continue running that build without any issues.
